Description
I think there is a bug in how docker cli resolves the plugin paths. Described also in https://discussion.fedoraproject.org/t/docker-plugins-on-f41-not-working/138199/9
Given a directory /usr/libexec/docker/cli-plugins with correct permissions (root:root 755) and a plugin /usr/libexec/docker/cli-plugins/docker-buildx, if we create a directory /usr/local/libexec with permissions (root:root 750), running docker build fails as it won't find buildx.
I suspect that as docker-cli checks for plugins in the directories in the precedence order, if any of the directories is not accessible, the plugin search fails and directories specified later in the precedence order will not be checked, and thus plugins in other folders won't be found.
The workaround is easy: just fix the permissions, so it is not a big problem. But I would expect docker-cli to skip such a directory as it does with non-existent directories.
Reproduce
- Given docker plugin
  /usr/libexec/docker/cli-plugins/docker-buildx
- Remove non-root access from a higher precedence plugin folder
  chmod 750 /usr/local/libexec
- Try to run the plugin via docker-cli
  docker buildx
- It fails with
  docker: 'buildx' is not a docker command.
Expected behavior
docker buildx works, because the plugin under /usr/libexec/docker/cli-plugins is still accessible.
docker version
Client:
Version: 27.3.1
API version: 1.41 (downgraded from 1.47)
Go version: go1.23.1
Git commit: 2.fc41
Built: Tue Sep 24 00:00:00 2024
OS/Arch: linux/amd64
Context: default
Server: linux/amd64/fedora-41
Podman Engine:
Version: 5.2.5
APIVersion: 5.2.5
Arch: amd64
BuildTime: 2024-10-18T02:00:00+02:00
Experimental: false
GitCommit:
GoVersion: go1.23.2
KernelVersion: 6.11.8-300.fc41.x86_64
MinAPIVersion: 4.0.0
Os: linux
Conmon:
Version: conmon version 2.1.12, commit:
Package: conmon-2.1.12-3.fc41.x86_64
OCI Runtime (crun):
Version: crun version 1.18.1
commit: c41f034fdbb9742c395085fc98459c94ad1f9aae
rundir: /run/user/3000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
Package: crun-1.18.1-1.fc41.x86_64
Engine:
Version: 5.2.5
API version: 1.41 (minimum version 1.24)
Go version: go1.23.2
Git commit:
Built: Fri Oct 18 02:00:00 2024
OS/Arch: linux/amd64
Experimental: false
docker info
➜ ~ docker info
Client:
Version: 27.3.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: 0.18.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.23.1
Path: /usr/local/lib/docker/cli-plugins/docker-compose
Server:
Containers: 4
Running: 2
Paused: 0
Stopped: 2
Images: 20
Server Version: 5.2.5
Storage Driver: overlay
Backing Filesystem: btrfs
Supports d_type: true
Native Overlay Diff: true
Using metacopy: false
Supports shifting: false
Supports volatile: true
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge macvlan ipvlan
Log: k8s-file none passthrough journald
Swarm: inactive
Runtimes: crun crun-vm kata ocijail youki crun-wasm krun runc runj runsc
Default Runtime: crun
Init Binary:
containerd version:
runc version:
init version:
Security Options:
seccomp
Profile: default
rootless
selinux
Kernel Version: 6.11.8-300.fc41.x86_64
Operating System: fedora
OSType: linux
Architecture: amd64
CPUs: 12
Total Memory: 31.19GiB
Name: eli
ID: 09ac0646-46a4-4440-950a-65af1d419340
Docker Root Dir: /var/home/mihalyr/.local/share/containers/storage
Debug Mode: false
Experimental: true
Live Restore Enabled: false
Product License: Apache-2.0
Additional Info
No response
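
The behaviour the report expects, sketched as an added example (not docker/cli code and not part of the original issue): a search over plugin directories in precedence order that treats a permission-denied directory like a missing one, but records it. `findPlugin`, `statFunc` and the `docker-<name>` lookup are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// statFunc matches os.Stat; it is injectable so the permission-denied
// case can be exercised without creating restricted directories.
type statFunc func(string) (os.FileInfo, error)

// findPlugin (hypothetical helper, not docker/cli code) returns the first
// regular file named "docker-<name>" in dirs, searched in precedence order.
// Missing directories are skipped silently; unreadable ones are skipped and
// reported, so a restrictive mode on one path cannot hide later directories.
func findPlugin(name string, dirs []string, stat statFunc) (string, []string, error) {
	var skipped []string
	for _, dir := range dirs {
		candidate := filepath.Join(dir, "docker-"+name)
		info, err := stat(candidate)
		switch {
		case err == nil && info.Mode().IsRegular():
			return candidate, skipped, nil
		case err == nil, errors.Is(err, os.ErrNotExist):
			continue // not a plugin binary, or nothing there
		case errors.Is(err, os.ErrPermission):
			skipped = append(skipped, dir) // e.g. an ancestor with mode 750
		default:
			return "", skipped, fmt.Errorf("checking %s: %w", candidate, err)
		}
	}
	return "", skipped, fmt.Errorf("plugin %q: %w", name, os.ErrNotExist)
}

func main() {
	// Directories from the report, highest precedence first; the
	// docker/cli-plugins suffix under /usr/local/libexec is assumed.
	dirs := []string{
		"/usr/local/libexec/docker/cli-plugins",
		"/usr/libexec/docker/cli-plugins",
	}
	path, skipped, err := findPlugin("buildx", dirs, os.Stat)
	fmt.Printf("path=%q skipped=%v err=%v\n", path, skipped, err)
}
```

Returning the skipped directories lets the caller log them, since an unreadable higher-precedence path changes which plugin binary ends up being executed.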